Monitoring GTP Traffic

The GPRS Tunneling Protocol (GTP) establishes a GTP tunnel for a user equipment between a serving GPRS support node (SGSN) and a gateway GPRS support node (GGSN), or between an SGSN and a mobility management entity (MME). The SGSN receives packets from the user equipment and encapsulates them within a GTP header before forwarding them to the GGSN through the GTP tunnel. When the GGSN receives the packets, it decapsulates them and forwards them to the external host.

Understanding GTP-U Inspection

The GPRS tunneling protocol user plane (GTP-U) inspection performs security checks on GTP-U packets. When GTP-U inspection is enabled, invalid GTP-U packets are blocked and the GPRS support node (GSN) is protected from GTP-U attacks.

Once GTP-U inspection is enabled, and depending on the device configuration, the inspection might include checks for GTP-in-GTP packets, end-user authorization, packet sequence validity, and tunnel validity. If any configured check fails, the GTP-U packet is dropped.

If GTP-U inspection is enabled while GTP-U distribution is disabled, the following message is displayed: "GTP-U inspection is enabled, please enable GTP-U distribution to ensure that GTP-U packets are inspected by the proper inspectors, and avoid dropping GTP-U packets wrongly. Execute CLI "set security forwarding-process application-services enable-gtpu-distribution" to enable GTP-U distribution." It is strongly recommended that you enable GTP-U distribution whenever you enable GTP-U inspection.

Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.3R1, on SRX5400, SRX5600, and SRX5800 devices, if a GTP profile is configured, the GTP module selects the anchor SPU for distributing the UDP traffic arriving on ports 2123 and 2152. If you do not configure a GTP profile, the GTP module does not run and does not select the anchor SPU for the UDP traffic on ports 2123 and 2152.

The following list describes the various types of GTP-U inspections that are performed on the traffic:

  • GTP-U tunnel check—The GTP-U module checks that the GTP-U packet matches a GTP tunnel. If no tunnel matches the GTP-U packet, the GTP-U packet is dropped.

  • GTP-in-GTP check—In the SPU, the GTP module checks that the GTP-U payload is not itself a GTP packet. If the payload is a GTP packet, the GTP packet is dropped.

  • End-user address check—If a user tunnel is found for the GTP-U packet, the GTP-U module checks the end-user address. If the address in the GTP-U payload does not match the end-user address, the GTP-U packet is dropped.

    Starting in Junos OS Release 15.1X49-D40 and Junos OS Release 17.3R1, the end-user address is, in certain scenarios, not carried in GTP create messages. For example, if DHCPv4 is used for IPv4 address allocation, the IPv4 address field in the GTP create message is set to 0.0.0.0, and the user equipment and the GGSN/PGW obtain the address from the DHCP server. In this scenario the GTP module cannot obtain the address for the end-user address check; consequently, if the end-user address check is enabled, the GTP create message is dropped.

  • Sequence number check—The GTP-U module compares the sequence number of the GTP-U packet with the sequence number stored in the GTP-U tunnel. If the sequence number is not within the expected range, the GTP-U packet is dropped. If it is within the range, the GTP-U tunnel refreshes its stored sequence number and allows the packet to pass.

At the end of the GTP-U inspection, the GTP-U tunnel refreshes the timers and counters.
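The four checks above, implemented as an added Python example that is not part of this documentation or of Junos OS: a small GTPv1-U header parser, a constructed tunnel table keyed by TEID (holding the end-user address and expected sequence number that a real device learns from GTP-C create messages), and an inspect_gtpu() function that applies the tunnel, GTP-in-GTP, end-user address and sequence number checks in order and reports which one dropped the packet. The TEIDs, addresses, the SEQ_WINDOW tolerance and the sample packets are constructed for the example; the device's actual sequence window and tunnel-state layout are not described on this page.

```python
import ipaddress
import struct

GTP_PORTS = {2123, 2152}   # GTP-C and GTP-U UDP ports: an inner packet to these is GTP-in-GTP
MSG_GPDU = 0xFF            # GTPv1-U G-PDU message type (user data)
SEQ_WINDOW = 64            # constructed tolerance for the sequence check (assumption)

# Constructed tunnel state, keyed by TEID, as a device would learn it from GTP-C create messages.
TUNNELS = {0x1001: {"end_user": ipaddress.ip_address("10.1.1.5"), "next_seq": 5}}


def parse_gtpv1(packet):
    """Parse a GTPv1 header; returns a dict or None if the header is malformed."""
    if len(packet) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", packet[:8])
    if flags >> 5 != 1:                       # version field must be 1
        return None
    hdr_len, seq = 8, None
    if flags & 0x07:                          # E, S or PN set: 4 optional bytes follow
        if len(packet) < 12:
            return None
        hdr_len = 12
        if flags & 0x02:                      # S flag: sequence number is present
            seq = struct.unpack("!H", packet[8:10])[0]
    return {"msg_type": msg_type, "teid": teid, "seq": seq,
            "payload": packet[hdr_len:8 + length]}


def parse_ipv4(data):
    """Return (src, dst, protocol, l4_payload) of an IPv4 datagram, or None."""
    if len(data) < 20 or data[0] >> 4 != 4:
        return None
    ihl = (data[0] & 0x0F) * 4
    return (ipaddress.ip_address(data[12:16]), ipaddress.ip_address(data[16:20]),
            data[9], data[ihl:])


def inspect_gtpu(packet, tunnels):
    """Apply the tunnel, GTP-in-GTP, end-user address and sequence checks in order."""
    gtp = parse_gtpv1(packet)
    if gtp is None or gtp["msg_type"] != MSG_GPDU:
        return "drop", "malformed or non-G-PDU"
    tunnel = tunnels.get(gtp["teid"])
    if tunnel is None:                        # tunnel check
        return "drop", "no matching GTP-U tunnel"
    ip = parse_ipv4(gtp["payload"])
    if ip is None:
        return "drop", "payload is not IPv4"
    src, dst, proto, l4 = ip
    if proto == 17 and len(l4) >= 4:          # GTP-in-GTP check
        sport, dport = struct.unpack("!HH", l4[:4])
        if dport in GTP_PORTS:
            return "drop", "GTP-in-GTP"
    if src != tunnel["end_user"]:             # end-user address check
        return "drop", "end-user address mismatch"
    if gtp["seq"] is not None:                # sequence number check
        if (gtp["seq"] - tunnel["next_seq"]) % 65536 >= SEQ_WINDOW:
            return "drop", "sequence number out of range"
        tunnel["next_seq"] = (gtp["seq"] + 1) % 65536   # refresh stored sequence number
    return "pass", "ok"


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Construct a minimal IPv4/UDP datagram (checksums left at zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + udp


def build_gtpu(teid, payload, seq=None):
    """Construct a GTPv1-U G-PDU; when seq is given the S flag and optional field are set."""
    if seq is None:
        return struct.pack("!BBHI", 0x30, MSG_GPDU, len(payload), teid) + payload
    opt = struct.pack("!HBB", seq, 0, 0)      # sequence number, N-PDU number, next ext header
    return struct.pack("!BBHI", 0x32, MSG_GPDU, len(opt) + len(payload), teid) + opt + payload


def demo():
    """Run constructed packets through the inspector; returns the verdict per case."""
    tunnels = {k: dict(v) for k, v in TUNNELS.items()}   # fresh copy of tunnel state
    ue_dns = build_ipv4_udp("10.1.1.5", "8.8.8.8", 40000, 53, b"dns-query")
    spoofed = build_ipv4_udp("10.9.9.9", "8.8.8.8", 40000, 53, b"dns-query")
    nested = build_ipv4_udp("10.1.1.5", "192.0.2.1", 2152, 2152, build_gtpu(0x1001, b""))
    cases = [
        ("valid", build_gtpu(0x1001, ue_dns, seq=5)),
        ("unknown_teid", build_gtpu(0xDEAD, ue_dns, seq=6)),
        ("gtp_in_gtp", build_gtpu(0x1001, nested, seq=6)),
        ("bad_end_user", build_gtpu(0x1001, spoofed, seq=6)),
        ("seq_out_of_range", build_gtpu(0x1001, ue_dns, seq=6 + SEQ_WINDOW)),
        ("valid_again", build_gtpu(0x1001, ue_dns, seq=6)),
    ]
    return {name: inspect_gtpu(pkt, tunnels)[0] for name, pkt in cases}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

The checks run in the same order the list gives them, so a packet that fails an early check never refreshes the stored sequence number; the "valid_again" case shows that a rejected out-of-range packet leaves the tunnel's expected sequence untouched.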

Understanding GTP Tunnel Enhancements

A GPRS tunneling protocol (GTP) tunnel is a channel between two GPRS support nodes through which two hosts exchange data. The GTP tunnel consists of the GTP control plane (GTP-C) and the GTP user plane (GTP-U). GTP-C is used for signaling between the gateway GPRS support node (GGSN) and the serving GPRS support node (SGSN), while the GTP-U tunnel is used to encapsulate and route the user plane traffic across multiple signaling interfaces.

GTP handling is enhanced to update the GTP tunnel and session lifetime and so avoid GTP tunnel timeout issues. The GTP tunnel timeout value is configured in the GTP profile and bound to the GTP user plane (GTP-U) tunnel. The timer is refreshed when data traffic reaches the GTP-U tunnel and decreases while the GTP-U tunnel is idle. The GTP-U tunnel is deleted when the timer reaches zero, and the corresponding GTP-C tunnel is deleted when all GTP-U tunnels bound to it have been deleted.

When GTP-U inspection is disabled, data traffic cannot refresh the GTP-U tunnel, so once the timer expires all GTP tunnels time out even though data traffic is still flowing across them. In this scenario, when the GTP tunnels need to be updated, the device drops the update request because the GTP-U tunnel is no longer present.

To avoid GTP tunnel timeout issues, GTP-U traffic can refresh the GTP tunnel even if GTP user validation is disabled. GTP-U traffic can refresh only GTPv1 and GTPv2 tunnels, not GTPv0 tunnels. You need to configure the set security forwarding-process application-services enable-gtpu-distribution command to prevent the GTP tunnels from aging out or expiring.

The GTP-U tunnel has a session attach flag that is checked when the GTP-U tunnels are scanned. If the session attach flag is set on a tunnel, the timer value does not decrease, which prevents the tunnel from being deleted while it is in service.
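A toy model of the aging behaviour described above, added here as an example and not code from Junos OS: a tunnel table with a per-profile timeout, a tick() that counts idle time down (skipping tunnels whose session attach flag is set), a GTP-U data event that refreshes GTPv1/GTPv2 tunnels only when refresh is enabled, and cascade deletion of the GTP-C tunnel when its last bound GTP-U tunnel goes. simulate() reproduces the failure mode in which traffic keeps flowing yet the tunnel still times out and a later update request is dropped. The tunnel identifiers, the timeout of 5 ticks and the tick-based clock are assumptions of the example.

```python
class GtpTunnelTable:
    """Model of GTP-C/GTP-U tunnel aging driven by a per-profile timeout.
    Assumption (not from the page): time advances in whole ticks via tick()."""

    def __init__(self, timeout, gtpu_refresh):
        self.timeout = timeout            # GTP profile tunnel timeout, in ticks
        self.gtpu_refresh = gtpu_refresh  # True when GTP-U traffic may refresh tunnels
        self.gtpc = {}                    # GTP-C tunnel id -> set of bound GTP-U TEIDs
        self.gtpu = {}                    # TEID -> GTP-U tunnel state

    def create(self, gtpc_id, teid, version=1, attached=False):
        """Create a GTP-U tunnel bound to a GTP-C tunnel, timer at full value."""
        self.gtpc.setdefault(gtpc_id, set()).add(teid)
        self.gtpu[teid] = {"gtpc": gtpc_id, "version": version,
                           "timer": self.timeout, "attached": attached}

    def on_gtpu_data(self, teid):
        """Data on a GTP-U tunnel refreshes its timer (GTPv1/GTPv2 only); False if no tunnel."""
        t = self.gtpu.get(teid)
        if t is None:
            return False
        if self.gtpu_refresh and t["version"] in (1, 2):
            t["timer"] = self.timeout
        return True

    def on_gtpc_update(self, teid):
        """An update request is accepted only while its GTP-U tunnel still exists."""
        return teid in self.gtpu

    def tick(self):
        """One idle interval: timers count down unless the session attach flag is set."""
        for teid, t in list(self.gtpu.items()):
            if t["attached"]:
                continue
            t["timer"] -= 1
            if t["timer"] <= 0:
                self._delete_gtpu(teid)

    def _delete_gtpu(self, teid):
        t = self.gtpu.pop(teid)
        bound = self.gtpc[t["gtpc"]]
        bound.discard(teid)
        if not bound:                     # last GTP-U tunnel gone: GTP-C tunnel goes too
            del self.gtpc[t["gtpc"]]


def simulate(gtpu_refresh, version=1, attached=False, ticks=10, timeout=5):
    """Send data on the tunnel every tick; report whether tunnels and a final update survive."""
    table = GtpTunnelTable(timeout, gtpu_refresh)
    table.create("c1", 0x1001, version=version, attached=attached)
    for _ in range(ticks):
        table.on_gtpu_data(0x1001)
        table.tick()
    return {"gtpu_alive": 0x1001 in table.gtpu,
            "gtpc_alive": "c1" in table.gtpc,
            "update_accepted": table.on_gtpc_update(0x1001)}


if __name__ == "__main__":
    print("refresh disabled, GTPv1:", simulate(False))
    print("refresh enabled,  GTPv1:", simulate(True))
    print("refresh enabled,  GTPv0:", simulate(True, version=0))
    print("refresh disabled, attached:", simulate(False, attached=True))
```

With refresh disabled the tunnel is gone after five idle ticks even though data arrived on every tick, and the GTP-C tunnel disappears with it; with refresh enabled the same traffic keeps both alive. The GTPv0 case shows the version restriction, and the attached case shows the session attach flag holding the timer.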

On SRX5400, SRX5600, and SRX5800 devices, the number of GTP tunnels supported per SPU is increased from 200,000 tunnels to 600,000 tunnels per SPU, for a total of 2,400,000 tunnels per SPC2 card.

Understand Validation of IP Address in GTP Messages

IP addresses in GPRS tunneling protocol (GTP) messages on the Gp or S8 interface are validated against the configured IP group list to prevent attacks. An IP group list is a list of IP addresses belonging to the various kinds of network equipment. You must configure the IP addresses belonging to your network equipment in the IP group list.

S8 - This interface connects an SGW in a visited PLMN (VPLMN) and a PGW in a home PLMN (HPLMN). S8 is the inter-PLMN variant of S5. The S8 interface is equivalent to the Gp interface in a 3G mobile network.

The GTP firewall determines whether the IP addresses in GTP messages match the configured IP group list, and takes the following action:

  • If the IP addresses are found in the IP group list, the GTP messages are considered valid and forwarded to the Packet Forwarding Engine.

  • If the IP addresses are not found in the IP group list, the GTP messages are dropped.

IP Group Setup in GTP Message

An IP group is a list of IP addresses belonging to the various kinds of network equipment. IP group names are referenced in GTP profiles. The GTP firewall applies the configured policies to the incoming and outgoing IP addresses in the GPRS tunneling protocol (GTP) messages listed in Table 2 and Table 3.

For example, for the traffic between the client and server in Figure 1, two policies are configured.

  • GTP Policy Out is for the traffic from client to server.

  • GTP Policy In is for the traffic from server to client.

Figure 1: GTP Profile for incoming and outgoing GTP messages

All the IP addresses of the client and server must be configured in the IP group list and bound to the GTP Policy Out and GTP Policy In policies.

Two different types of groups are introduced for the different IP addresses: one for the network equipment (NE) IP address group and the other for the user equipment (UE) IP address group, as listed in Table 1.

Table 1: Network Equipment and User Equipment IP Address Support on Various Networks

Network Types           | Network Equipment IP Address | User Equipment IP Address
2G (GPRS) and 3G (UMTS) | RNC, SGSN and GGSN           | End User Address
4G (LTE)                | eNodeB, MME, SGW and PGW     | PDN Address Allocation (PAA)

When a GTP message reaches the message handler stage, the network equipment IP address group and the user equipment IP address group are validated in turn, based on the parsed information elements and the addresses in the IP header.

  • Network equipment IP address group: the IP header addresses and the information element IP addresses in the GTP message are compared against the configured network equipment IP address group list (if one exists). If the NE IP address is found in the configured NE IP address group, the packet proceeds to the UE IP address group check; otherwise the packet is dropped.

  • User equipment IP address group: all end-user IP addresses are validated against the configured user equipment IP address group list. If the user equipment IP address is found in the configured user equipment IP address group, the packet is passed; otherwise it is dropped.
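The two-stage check described above, applied to the GTPv0/GTPv1 IEs that Table 5 names, as an added Python example that is not Junos OS code: a minimal GTPv1 information-element parser that understands TLV IEs and a handful of fixed-length IEs, extraction of GSN Address IEs as NE addresses and the End User Address IE as the UE address, and validate_gtp_message(), which checks the outer IP header addresses and the NE IEs against the NE group before checking the UE address against the UE group. The IE type numbers are from 3GPP TS 29.060; the IP groups, the TEIDs and the sample Create PDP Context Request body are constructed, and treating a Create message that carries no end-user address (dynamic allocation) as having nothing to check at the UE stage is an assumption of the example.

```python
import ipaddress
import struct

# GTPv1 IE types used here (3GPP TS 29.060, section 7.7).
IE_END_USER_ADDRESS = 128
IE_GSN_ADDRESS = 133
# Fixed-length (TV) IE sizes for the IEs this example constructs; a full parser
# would carry the complete table from TS 29.060.
TV_LENGTHS = {1: 1, 14: 1, 16: 4, 17: 4, 20: 1}

# Constructed IP groups: NE group = SGSN/GGSN addresses, UE group = end-user address pool.
NE_GROUP = [ipaddress.ip_network("192.0.2.0/24")]
UE_GROUP = [ipaddress.ip_network("10.0.0.0/8")]


def parse_gtpv1_ies(body):
    """Return [(ie_type, value)] from a GTPv1 message body (the IEs after the header)."""
    ies, i = [], 0
    while i < len(body):
        t = body[i]
        if t >= 128:                                  # TLV IE: 2-byte length follows
            if i + 3 > len(body):
                raise ValueError("truncated TLV IE")
            ln = struct.unpack("!H", body[i + 1:i + 3])[0]
            ies.append((t, body[i + 3:i + 3 + ln]))
            i += 3 + ln
        else:                                         # TV IE: length is implied by the type
            if t not in TV_LENGTHS:
                raise ValueError(f"unknown fixed-length IE type {t}")
            ies.append((t, body[i + 1:i + 1 + TV_LENGTHS[t]]))
            i += 1 + TV_LENGTHS[t]
    return ies


def extract_addresses(ies):
    """Split IE addresses into NE addresses (GSN Address) and UE addresses (End User Address)."""
    ne, ue = [], []
    for t, v in ies:
        if t == IE_GSN_ADDRESS and len(v) in (4, 16):
            ne.append(ipaddress.ip_address(v))
        elif t == IE_END_USER_ADDRESS and len(v) >= 2:
            addr = v[2:]                              # after PDP type org / PDP type number
            if len(addr) in (4, 16):                  # empty = dynamic allocation (assumption: nothing to check)
                ue.append(ipaddress.ip_address(addr))
    return ne, ue


def in_group(addr, group):
    return any(addr in net for net in group)


def validate_gtp_message(outer_src, outer_dst, body, ne_group, ue_group):
    """NE group check first (IP header + NE IEs), then UE group check. Returns (verdict, reason)."""
    try:
        ies = parse_gtpv1_ies(body)
    except ValueError as e:
        return "drop", f"unparseable: {e}"
    ne_addrs, ue_addrs = extract_addresses(ies)
    for a in [ipaddress.ip_address(outer_src), ipaddress.ip_address(outer_dst)] + ne_addrs:
        if not in_group(a, ne_group):
            return "drop", f"NE address {a} not in IP group"
    for a in ue_addrs:
        if not in_group(a, ue_group):
            return "drop", f"UE address {a} not in IP group"
    return "pass", "all addresses in configured IP groups"


def tlv(t, value):
    return bytes([t]) + struct.pack("!H", len(value)) + value


def build_create_pdp_request(ue_ip, sgsn_ctrl, sgsn_user):
    """Construct the IE body of a GTPv1 Create PDP Context Request (subset of its IEs)."""
    return b"".join([
        bytes([14, 0x00]),                                  # Recovery
        bytes([16]) + b"\x00\x00\x10\x01",                  # TEID Data I
        bytes([17]) + b"\x00\x00\x20\x01",                  # TEID Control Plane
        bytes([20, 0x05]),                                  # NSAPI
        tlv(IE_END_USER_ADDRESS, b"\xf1\x21" + ipaddress.ip_address(ue_ip).packed),  # IETF / IPv4
        tlv(IE_GSN_ADDRESS, ipaddress.ip_address(sgsn_ctrl).packed),  # SGSN Address for signalling
        tlv(IE_GSN_ADDRESS, ipaddress.ip_address(sgsn_user).packed),  # SGSN Address for user traffic
    ])


def demo():
    """Validate constructed Create PDP Context Requests; returns the verdict per case."""
    good = build_create_pdp_request("10.1.1.5", "192.0.2.10", "192.0.2.11")
    bad_ne = build_create_pdp_request("10.1.1.5", "198.51.100.7", "192.0.2.11")
    bad_ue = build_create_pdp_request("172.16.0.9", "192.0.2.10", "192.0.2.11")
    sgsn, ggsn = "192.0.2.10", "192.0.2.20"             # outer IP header of the GTP-C packet
    return {
        "valid": validate_gtp_message(sgsn, ggsn, good, NE_GROUP, UE_GROUP)[0],
        "ie_ne_not_in_group": validate_gtp_message(sgsn, ggsn, bad_ne, NE_GROUP, UE_GROUP)[0],
        "outer_src_not_in_group": validate_gtp_message("203.0.113.5", ggsn, good, NE_GROUP, UE_GROUP)[0],
        "ue_not_in_group": validate_gtp_message(sgsn, ggsn, bad_ue, NE_GROUP, UE_GROUP)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The parser stops with an error on a fixed-length IE it does not know, because without the length table it cannot find the next IE; the validator turns that into a drop rather than guessing. The "outer_src_not_in_group" case shows that the IP header addresses take part in the NE stage, not only the addresses carried in IEs.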

Supported GTP messages

Many types of messages pass through the Gp or S8 interface; some of the supported GTP messages are listed below.

Table 2: GTPv0 Messages

Message Type | GTP Message                    | Reference in TS 29.060
1            | Echo Request                   | 7.4.1
2            | Echo Response                  | 7.4.2
16           | Create PDP Context Request     | 7.5.1
17           | Create PDP Context Response    | 7.5.2
18           | Update PDP Context Request     | 7.5.3
19           | Update PDP Context Response    | 7.5.4
20           | Delete PDP Context Request     | 7.5.5
21           | Delete PDP Context Response    | 7.5.6
22           | Create AA PDP Context Request  | 7.5.7
23           | Create AA PDP Context Response | 7.5.8
24           | Delete AA PDP Context Request  | 7.5.9
25           | Delete AA PDP Context Response | 7.5.10

Table 3: GTPv1 Messages

Message Type | GTP Message                 | Reference in TS 29.060
1            | Echo Request                | 7.2.1
2            | Echo Response               | 7.2.2
16           | Create PDP Context Request  | 7.3.1
17           | Create PDP Context Response | 7.3.2
18           | Update PDP Context Request  | 7.3.3
19           | Update PDP Context Response | 7.3.4
20           | Delete PDP Context Request  | 7.3.5
21           | Delete PDP Context Response | 7.3.6

Table 4: GTPv2 Messages

Message Type | GTP Message             | Reference (3GPP TS)
1            | Echo Request            | 23.007
2            | Echo Response           | 23.007
32           | Create Session Request  | 29.274
33           | Create Session Response | 29.274
36           | Delete Session Request  | 29.274
37           | Delete Session Response | 29.274
34           | Modify Bearer Request   | 29.274
35           | Modify Bearer Response  | 29.274
95           | Create Bearer Request   | 29.274
96           | Create Bearer Response  | 29.274
97           | Update Bearer Request   | 29.274
98           | Update Bearer Response  | 29.274
99           | Delete Bearer Request   | 29.274
100          | Delete Bearer Response  | 29.274

IEs involved in IP validity

The following information elements (IEs) belong to messages on the 3GPP Gp or S8 interface.

IEs are configured on the Gp or S8 interface; if an unexpected IE appears in a message, it might be ignored and not checked even if it carries an NE IP address.

Table 5: IEs in GTPv0 messages

GTP Message | Address Type | IE Type
Create PDP Context Request, Create AA PDP Context Request | End User Address; SGSN Address for signalling; SGSN Address for user traffic | End User Address; GSN Address; GSN Address
Create PDP Context Response, Create AA PDP Context Response | End User Address; GGSN Address for signalling; GGSN Address for user traffic | End User Address; GSN Address; GSN Address
Update PDP Context Request | SGSN Address for signalling; SGSN Address for user traffic | GSN Address; GSN Address
Update PDP Context Response | GGSN Address for signalling; GGSN Address for user traffic | GSN Address; GSN Address

Table 6: IEs in GTPv1 messages

GTP Message | Address Type | IE Type
Create PDP Context Request | End User Address; SGSN Address for signalling; SGSN Address for user traffic | End User Address; GSN Address; GSN Address
Create PDP Context Response | End User Address; GGSN Address for signalling; GGSN Address for user traffic; Alternative GGSN Address for Control Plane; Alternative GGSN Address for user traffic | End User Address; GSN Address; GSN Address; GSN Address; GSN Address
Update PDP Context Request (SGSN-initiated) | SGSN Address for signalling; SGSN Address for user traffic; Alternative SGSN Address for Control Plane; Alternative SGSN Address for user traffic | GSN Address; GSN Address; GSN Address; GSN Address
Update PDP Context Request (GGSN-initiated) | End User Address | End User Address
Update PDP Context Response (by GGSN) | GGSN Address for signalling; GGSN Address for user traffic; Alternative GGSN Address for Control Plane; Alternative GGSN Address for user traffic | GSN Address; GSN Address; GSN Address; GSN Address
Update PDP Context Response (by SGSN) | SGSN Address for User Traffic | GSN Address

Table 7: IEs in GTPv2 messages

GTP Message/Bearer Context | Address Type | IE Type
Create Session Request | Sender Address for Control Plane; PDN Address Allocation; H(e)NB Local IP Address; MME/S4-SGSN Identifier | F-TEID; PAA; IP Address; IP Address
Create Session Request (Bearer context to be created) | S5/S8-U SGW F-TEID | F-TEID
Create Session Response | PGW S5/S8 F-TEID for Control Plane interface; PDN Address Allocation | F-TEID; PAA
Create Session Response (Bearer context to be created) | S5/S8-U PGW F-TEID | F-TEID
Create Bearer Request (Bearer context) | S5/8-U PGW F-TEID | F-TEID
Create Bearer Response | MME/S4-SGSN Identifier | IP Address
Create Bearer Response (Bearer context) | S5/8-U SGW F-TEID; S5/8-U PGW F-TEID | F-TEID; F-TEID
Modify Bearer Request | Sender Address for Control Plane; H(e)NB Local IP Address; MME/S4-SGSN Identifier | F-TEID; IP Address; IP Address
Modify Bearer Request (Bearer context) | S5/8-U SGW F-TEID | F-TEID
Delete Session Request | Sender Address for Control Plane | F-TEID
Delete Bearer Response | MME/S4-SGSN Identifier | IP Address
Update Bearer Response | MME/S4-SGSN Identifier | IP Address

Example: Configure the Validity of IP Address in GTP Messages

This example shows how to configure IP address validation in GPRS tunneling protocol (GTP) messages.

Requirements

SRX Series Firewall with Junos OS Release 19.3R1 or later. This configuration example is tested on Junos OS Release 19.3R1.

This example uses the following hardware and software components:

  • Any one of the SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, or SRX5800 devices, or a vSRX Virtual Firewall instance.

  • User equipment that needs to connect to the Internet. You will also need a 3G or 4G mobile core network and a home and visited network.

Overview

In this example, you configure validation of the IP addresses in GPRS tunneling protocol (GTP) messages.

You can prevent a variety of attacks by validating the IP addresses of incoming and outgoing packets in GTP messages against the IP addresses configured in the IP group list. An IP group is a list of IP addresses belonging to the various kinds of network equipment. IP group names are referenced in GTP profiles. The GTP firewall applies the configured policies to the incoming and outgoing IP addresses in GPRS tunneling protocol (GTP) messages.

Configure IP Address in GTP Messages

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Procedure

To configure IP address validation in GTP messages:

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

Step-by-Step Procedure
  1. Configure a GTP profile to process the traffic that goes to the GTP firewall.

  2. Configure the security zone to support inbound and outbound traffic for all system services on all connected interfaces.

  3. Specify the IP addresses in the global address book; these IP addresses are used for validating the IP addresses in incoming or outgoing GTP messages.

  4. Configure the defined network equipment and user equipment IP address groups in the IP group list; this IP group list is used for the GTP messages.

  5. Apply the GTP profile to the network equipment and user equipment groups.

  6. Enable the GTP service in the security policies.

Results

From configuration mode, confirm your configuration by entering the show security gprs command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

From configuration mode, confirm your configuration by entering the show security zones command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

From configuration mode, confirm your configuration by entering the show security address-book command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verify the IP Group

Purpose

Verify the IP Group is configured.

Action

Use the show security gprs gtp ip-group command to get the details of the configured IP group.

Verify the GTP profile

Purpose

Verify the GTP profile is configured.

Action

Use the show security gprs gtp configuration 1 command to get the details of the configured GTP profile.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release      | Description
15.1X49-D40  | Starting in Junos OS Release 15.1X49-D40 and Junos OS Release 17.3R1, the end-user address in certain scenarios is not carried in GTP create messages.
15.1X49-D100 | Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.3R1, on SRX5400, SRX5600, and SRX5800 devices, if the GTP profile is configured then the GTP module selects the anchor SPU for distributing the UDP traffic arriving on ports 2123 and 2152. If you do not configure the GTP profile, the GTP module does not run and does not select the anchor SPU for the UDP traffic on ports 2123 and 2152.